Overview

overview

10

Static

static

PRODUCTS INQUIRY.exe

windows7_x64

10

PRODUCTS INQUIRY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0c6dd0b18295829d752936a1f5a6a1c1d8f984dfcb78eb084ba629f3addb5462

  • Size

    372KB

  • Sample

    220520-2rrpfafhb8

  • MD5

    9bd41b297db712beb2fa7c7688fc3072

  • SHA1

    ac46dc56afe883163b2b31535d06b28ba3190cd8

  • SHA256

    0c6dd0b18295829d752936a1f5a6a1c1d8f984dfcb78eb084ba629f3addb5462

  • SHA512

    424aad7db43a5278811161927ca017220ad9f6f0f432c63c7e848b7cf3099d23ef624e5462b928dd14f24f48a1c9d4ec484b264ab8daa621eba91983521b4471

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.aquariuslogistics.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    AQL@2019#$

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.aquariuslogistics.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    AQL@2019#$

Targets

    • Target

      PRODUCTS INQUIRY.exe

    • Size

      424KB

    • MD5

      27046fd97f839d57e3c19f66bcbbb3af

    • SHA1

      2773004ab886097ca44cca67b0a87f372f720f21

    • SHA256

      70a7c18aa0fb1b6a542988faad566ef09a748042d6451bb7cd50871ff95e09ca

    • SHA512

      09640209fceb6d80799b3c9a2054d27e02a6066ba03c66b0d4e52baafe2c12b5dc8d92bdd2a3451d9cf839e0c341379066d1e63124589f4f2cb9e7d3af5931cf

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks